Email MFA OTP Expiry Time and MFA Token Expiry Time

Problem statement

When using Email OTP with MFA API “/mfa/associate” the following error occurs:

There is an error response of “oob_code is expired” when authenticating with the received 6-digit code.

The MFA token issued at authentication is valid for 10 minutes, but the “oob_code is expired” error occurs in less than 10 minutes.

Symptoms

The “oob_code is expired” error reflects the expiry of the OTP code itself, not of the MFA token; the two lifetimes are independent and not linked.

Solution

For Email/SMS OTP codes used with MFA, the default expiry time is 5 minutes.

General characteristics:
The code length is 6 characters and the code expires after 5 minutes. A user cannot fail Email OTP validation more than 10 times per hour.

Please note that the MFA token expiry is separate from the OTP expiry; neither is configurable.
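As an added illustration (not part of the original article and not Auth0's own code), the Python below models the two independent lifetimes described above and shows why a client should track them separately: when the 5-minute OTP window has closed but the 10-minute MFA token is still valid, the right move is to request a fresh code through /mfa/associate rather than restart the login. The request shapes for /mfa/associate and the mfa-oob token grant are assumptions taken from Auth0's public API conventions, and the client id, token and code values are placeholders; the timeline in `walk_through` is constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Lifetimes stated in the article: the Email/SMS OTP (oob_code) lives 5 minutes,
# the mfa_token issued at login lives 10 minutes. Neither is configurable.
OTP_TTL_SECONDS = 5 * 60
MFA_TOKEN_TTL_SECONDS = 10 * 60


@dataclass
class MfaSession:
    """Client-side bookkeeping for one MFA challenge (constructed for this example)."""
    mfa_token: str
    mfa_token_issued_at: float            # epoch seconds when login returned mfa_required
    oob_code: Optional[str] = None        # returned by /mfa/associate
    oob_code_issued_at: Optional[float] = None

    def mfa_token_expired(self, now: float) -> bool:
        return now - self.mfa_token_issued_at >= MFA_TOKEN_TTL_SECONDS

    def otp_expired(self, now: float) -> bool:
        # No code issued yet counts as "expired": the client must request one.
        return (self.oob_code_issued_at is None
                or now - self.oob_code_issued_at >= OTP_TTL_SECONDS)


def next_action(session: MfaSession, now: float) -> str:
    """Decide what the client should do before submitting a user-entered code.

    The two lifetimes are independent, so each is checked on its own:
      - mfa_token expired -> the whole challenge is over; start login again
      - only the OTP expired -> the challenge is still open; request a fresh code
      - both valid -> submit the entered code
    """
    if session.mfa_token_expired(now):
        return "reauthenticate"
    if session.otp_expired(now):
        return "request_new_code"
    return "submit_code"


def associate_request(session: MfaSession) -> dict:
    """Request for POST /mfa/associate asking for an email OTP.
    Shape assumed from Auth0's public MFA API docs, not from the article."""
    return {
        "url": "/mfa/associate",
        "headers": {"Authorization": f"Bearer {session.mfa_token}"},
        "json": {"authenticator_types": ["oob"], "oob_channels": ["email"]},
    }


def verify_request(session: MfaSession, binding_code: str) -> dict:
    """Request for POST /oauth/token exchanging the 6-digit code.
    Grant type assumed (mfa-oob); client_id is a placeholder."""
    return {
        "url": "/oauth/token",
        "json": {
            "grant_type": "http://auth0.com/oauth/grant-type/mfa-oob",
            "client_id": "CLIENT_ID_PLACEHOLDER",
            "mfa_token": session.mfa_token,
            "oob_code": session.oob_code,
            "binding_code": binding_code,
        },
    }


def walk_through() -> list:
    """Constructed timeline reproducing the symptom: at 6 minutes the mfa_token
    is still valid but the oob_code has already expired."""
    t0 = 1_700_000_000.0  # constructed epoch timestamp
    s = MfaSession(mfa_token="MFA_TOKEN_PLACEHOLDER", mfa_token_issued_at=t0)
    s.oob_code, s.oob_code_issued_at = "OOB_CODE_PLACEHOLDER", t0  # after /mfa/associate
    return [(m, next_action(s, t0 + m * 60)) for m in (1, 4, 6, 9, 11)]


if __name__ == "__main__":
    for minutes, action in walk_through():
        print(f"t+{minutes:>2} min: {action}")
```

In a real client, an "oob_code is expired" response should therefore be handled by checking the MFA token's own age: within 10 minutes, call /mfa/associate again and let the user enter the new code; past 10 minutes, send the user back through primary authentication. Keep the 10-failures-per-hour limit in mind when retrying, since repeated wrong submissions lock the user out independently of either timer.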